Migrating to Azure Sentinel - Data Sheet
Azure Sentinel is a cloud-native SIEM + SOAR (security information and event management + security orchestration and automated response) solution, collecting and analyzing data across all users, devices, and applications—both on-premises and in multiple clouds. Powered by artificial intelligence (AI) and enhanced with automation, Azure Sentinel enables real-time detection without the costly infrastructure required by an on-premises SIEM. Thanks to its cloud-native nature, Azure Sentinel is 48 percent less expensive than legacy SIEMs, 67 percent faster to deploy, and enables 80 percent less investigation effort.*
Phase 1
There are three phases of a typical Azure Sentinel migration architecture.
On-premises SIEM architecture: Analytics and database functions reside fully on-premises—your “before” state.
Side-by-side architecture: Two SIEMs, one on-premises and one in the cloud, are used at the same time. Typically, you’ll need to do this for some period of time during migration.
Cloud-native architecture: Both security analytics and data storage reside in the cloud. This is your full Azure Sentinel deployment.
* The Total Economic Impact™ of Microsoft Azure Sentinel, by Forrester Consulting, 2020
Phase 2: Operating side by side with a legacy SIEM
Actions to undertake while operating a transitional or extended side-by-side deployment.
Migrating data: Ask yourself, is this data source valuable? Think holistically about your use cases, then map the data required to support them. Identify any gaps in your visibility.
Migrating detection rules: Translate existing detection rules to map to Azure Sentinel. Sentinel also provides a powerful query language that can be used across other Microsoft solutions, such as Microsoft Defender for Endpoint and Application Insights.
Migrating analytics: Azure Sentinel has more than 400 built-in detections covering more than 40 connectors. Turning on UEBA analytics will provide immediate insights into behavioral anomalies.
Migrating automation: Where do you really need to save time? Automated workflows enable you to group and prioritize alerts into a common incident. Also, automated playbooks in Azure Sentinel enable easy integration with third-party ticketing solutions.
Phase 3: Cloud-native architecture
Leaving the legacy SIEM includes:
People: Make sure everyone on your team is trained on Azure Sentinel and feels comfortable leaving the legacy SIEM.
Technology: Check critical data to make sure sources and alerts are available in Azure Sentinel. Archive all records of past incidents and cases (raw data optional) to retain institutional history.
Processes: Update investigation and hunting processes and ensure that all key metrics can be obtained completely from Azure Sentinel. Create custom workbooks, or use built-in workbook templates to quickly gain insights as soon as you connect to data sources. Make sure all current cases are transferred to the new system (including required source data).
Learn more
Visit the Azure Sentinel homepage and download the white paper: Azure Sentinel Migration Fundamentals